Sustainability of HIEs under Cyber Security
The CERT Symposium on Cyber Security Incident
Management for Health Information Exchanges
Carnegie Mellon University's Posner Center
Pittsburgh, Pennsylvania
June 26, 2013
William “Buddy” Gillespie
Chair Business, Health Outcomes & HIE Committee, PAeHI
Director of HealthCare Solutions
Distributed Systems Services (DSS)
wgillespie@dsscorp.com
Sustainability of HIEs under Cyber Security
Agenda
• HIE Overview
• The Problem
• Concerns/Trends/HIMSS Survey
• Guidelines
• Architecture
• Medical Devices/Robotic Surgery
• Best Practices
• Future
HIE - Seven Sustainability Strategies
1 • Innovative stakeholder negotiations
2 • Building the right relations with hospitals & payers
3 • Physician adoption as driver of sustainability
4 • Innovation to bring payers/providers together
5 • Innovative sources for fee income
6 • Stakeholders drive healthcare transformation
7 • Cyber Security Best Practice
Health Information Exchange
Services Provided
Majority Provide
• Clinical messaging
and Inquiry (CCD)
• PH Dept. reportable
conditions or
Immunization
Registry
Most Provide
• Had or planning
eRX, orders,
physician workflow
tools
• Six of 11 had or
planning low-cost,
Web-based certified
EHRs that meet
Meaningful Use
Unique Services
• INHS (WA) offers
shared IT services to
38 hospitals plus
majority of
physicians; others
use Virtual Private
Network
• MiHIN Resource
Services plans to
implement 7 sub-
state HIEs over 18
months.
HIE Cyber Security -The Problem
“Not only do medical EHR systems themselves pose security
risks, but the movement towards making patient data available
wherever they may access medical services, implemented
through participation in health information exchanges (HIEs),
exacerbates the level of risk by posing additional threat
vulnerabilities. HIEs face funding challenges due to the fact that
they lack clear-cut and profitable business models, and yet
federal grants and deadlines maintain a level of time pressure
for implementing these systems that do not allow for thorough
considerations of security………..”
Doug Pollack, strategy officer at ID Experts, responsible for strategy and innovation including prevention
analysis and response services. As a veteran in the technology industry, he has over 25 years of experience in computer
systems, software, and security concerns focusing on creating successful new products in new emerging markets.
HIE Cyber Security -
Comparing HIE Models & Cyber Security
Integrated delivery
networks (IDNs)
•Organized by one Institution
•Hospital to connect its
physicians & provider partners
& ensures that hospitals and
physicians can participate in
Meaningful Use Incentive
•Costs are absorbed by
Institution & Hospital vendors
set up networks
•Examples: Pinnacle Health
System and Doylestown
Hospital
Community/Regional HIE
•Organized around one or more
medical referral regions with a
multi-stakeholder governing
body
•Fees are paid by the
stakeholders based on benefits
received & startup funding
coming from key stakeholders
or outside funding sources
(grants)
•Examples: Geisinger’s KeyHIE
and UPMC’s HIE are blended
IDN/Regional HIEs.
State-level HIE
• State geographic boundaries
• Responsible for addressing
barriers to HIE adoption
around privacy and security,
standards, and legal issues
with bordering states
• Funded by federal
government to include state
agencies such as Medicaid
and Public Health
• Example: Designation of a
state-level HIE in
Pennsylvania
PAeHI Research Studies and White Papers
Establishing
widespread
adoption of
electronic health
records and
electronic
prescribing in
Pennsylvania
(2008)
Ensuring privacy
and security of
Health Information
Exchange in
Pennsylvania
(2009)
Building a
Sustainable Model
for Health
Information
Exchange in
Pennsylvania
(2009)
Financing Research
and Framework
Development for a
Health Information
Exchange (2010)
paehi.org
HIE Cyber Security –
Internet Usage
• In 1995, 16 million users (0.4%)
• In 2010, 1.6 billion users (23.5%)
HIE Cyber Attack - Trends
• Increasing sophistication
• Decreasing costs
• Increasing attack frequency
• Difficulties in patching systems
• Increasing network connections, dependencies,
and trust relationships
HIE Cyber Security –
Top Concerns
• Mobile Devices - BYOD
• Medical Devices/Robotic Surgery
• HIPAA & BAAs
• Internal & External Breaches
• Data Leakage
• Limits of Technology & Inadequate Security Systems
• Funding
• Patient’s Lack of Confidence
• Third Parties-Vendors
• Remote Connections
HIE Cyber Security -
Concepts of Information Assurance
• Confidentiality (privacy)
• Integrity (quality, accuracy, relevance)
• Availability (accessibility)
HIE Cyber Security – ONC Guidelines
• New privacy and security guidelines--aimed at protecting the vast
amount of healthcare information transmitted by state Health
Information Exchanges--are now in place.
• HIEs are networks intended to help states manage the electronic
exchange of health information among health care providers and
hospitals within their states and across state lines.
• Privacy and security policies are required as a condition of
accepting part of the $550 million federal grant money funding the
development of state-based HIEs.
“The guidelines, issued by the Office of the National Coordinator
for Health IT (ONC), provide a common set of "rules of the road"
designed to build confidence in the system on both the provider
and patient level”…….. ONC
HIE Cyber Security – ONC Guidelines
• Under the new guidelines, state HIE grantees are
required to develop privacy and security policies
to address each of the fair information practice
principles as outlined by ONC.
• The principles include individual access to
information; the right to correct errors; openness
and transparency; collection, use and disclosure
limitations; security safeguards; data quality and
integrity; individual choice; and accountability.
HIE Cyber Security – ONC Guidelines
• The ONC also noted that there was no "one size fits all"
approach when developing policy for HIEs.
– For example, some state HIEs merely serve as information
conduits, ensuring the secure exchange of identifiable
health information among health care providers, without
accessing or storing any of that data. This type of HIE
doesn't have to worry about data quality or providing
individuals access to copies of their health information or
to have errors corrected or noted.
– However, state HIEs that "store, assemble, or aggregate"
identifiable health information are required to develop
policies to address all of the fair information practices,
including data quality, individual access and the right to
correct errors
HIE Cyber Security – ONC Guidelines
• If an HIE's current privacy and security policies
don't comply with the new requirements and
guidance, they have to be rewritten and a
timeline for making those changes given to the
ONC.
• The new requirements are consistent with the
recommendations developed and issued by the
Privacy and Security Tiger Team of the Federal
Health IT Policy Committee.
HIE Cyber Security –
Privacy & Security Policies
• All of the information that passes through the
HIE is password protected and encrypted at its
source using state of the art tools to protect
the transmission and security of the data.
• Access to the network is monitored and
restricted to only those qualified medical
professionals who have demonstrated a need
to know the requested information.
HIE Cyber Security –
Security Architecture
• The secure exchange of electronic health information is
important to the development of electronic health records
(EHRs) and to the improvement of the U.S. healthcare system.
• While the U.S. healthcare system is widely recognized as one
of the most clinically advanced in the world, costs continue to
rise, and often preventable medical errors occur.
• Health information technology (HIT), especially the
development of electronic health records for use in both
inpatient and ambulatory care settings, has the potential for
providing reliable access to health information and thereby
improving the healthcare system. However, the prospect of
storing, moving, and sharing health information in electronic
formats raises new challenges on how to ensure that the data
is adequately protected.
HIE Cyber Security –
NHIN Security Architecture
• Protecting electronic patient health information is crucial to
developing systems and structures that support the exchange
of that information among healthcare providers, payers, and
consumers using Health Information Exchanges (HIEs).
• As noted in the Summary of the Nationwide Health
Information Network (NHIN) report from the Office of the
National Coordinator, "An important core competency of the
HIE is to maintain a trusting and supportive relationship with
the organizations that provide data to, and retrieve data from,
one another through the HIE. The trust requirement is met
through a combination of legal agreements, advocacy, and
technology for ensuring meaningful information interchange
in a way that has appropriate protections."
HIE Cyber Security –
NIST Security Architecture
• NIST published "Security Architecture Design Process for
Health Information Exchanges (HIEs) (NISTIR 7497)" in
September 2010, to provide a systematic approach to
designing a technical security architecture for the exchange
of health information that leverages common government
and commercial practices and that demonstrates how
these practices can be applied to the development of HIEs.
• The publication assists organizations in ensuring that data
protection is adequately addressed throughout the system
development life cycle, and that these data protection
mechanisms are applied when the organization develops
technologies that enable the exchange of health
information.
HIE Cyber Security –
Security Architecture
• The operating model outlined in the NIST
publication will help organizations that are
implementing HIEs to:
– Understand major regulations and business drivers.
– Identify cross-organizational enabling services.
– Define supporting business processes (for each
service).
– Develop notional architectures (as a blueprint to
support services, processes, and the selection of
technical solutions).
– Select technical solutions.
HIE Cyber Security –
Medical Devices/Robotic Surgery
• Summary of Problem and Scope:
– Many medical devices contain configurable
embedded computer systems that can be
vulnerable to cyber security breaches.
– In addition, as medical devices are increasingly
interconnected via the Internet, hospital
networks, other medical devices, and
smartphones, there is an increased risk of cyber
security breaches, which could affect how a
medical device operates.
HIE Cyber Security –
Medical Devices/Robotic Surgery
• General Principles
– Manufacturers should develop a set of security
controls to assure medical device cyber security to
maintain information confidentiality, integrity,
and availability.
HIE Cyber Security –
Medical Devices - FDA
• On June 13, 2013, in response to increased reports of computer viruses
and other cyber security breaches concerning medical devices and
hospital networks, the Food and Drug Administration (FDA) issued a
safety communication on cyber security for medical devices and hospital
networks and a new draft guidance document, "Content of Premarket
Submissions for Management of Cyber security in Medical Devices."
– As software has become increasingly prevalent in medical devices, allowing
for more sophisticated uses and networked connectivity, the cyber security
risks for these devices also have increased.
– Recognizing that these risks may impact device performance and safety, FDA
clarified that device manufacturers are responsible for identifying and
mitigating cyber security risks for their medical device products.
– Although the new draft guidance makes clear that FDA expects device
manufacturers to evaluate and address these issues for new devices going
forward, questions remain as to the extent of manufacturers' obligations for
cyber security risks affecting older devices, particularly with respect to
discontinued devices that are still in use but are no longer supported by a
device manufacturer.
HIE Cyber Security –
Medical Devices - FDA
• While FDA acknowledges that the extent of security controls
will depend on the medical device, its use environment, and
the risks presented to patients by a potential security
breach, the draft guidance includes several general
recommendations.
– Manufacturers are encouraged to justify, in their submissions,
the security controls chosen, including the following:
• limiting access to trusted users only, particularly for life-sustaining
devices or devices that could be directly connected to hospital
networks;
• ensuring the trusted content of software by restricting software and
firmware updates to authenticated code, using systematic procedures
for authorized users to download the manufacturer's software and
firmware, and ensuring secure data transfer to and from the device;
• using "fail safe" modes to maintain a device's critical functionality,
even when the device's security has been compromised.
HIE Cyber Security –
Medical Devices - FDA
• FDA recommends that manufacturers include the
following with their submissions:
– Hazard analysis, mitigations, and design considerations to
identify and control cyber security risks; a traceability
matrix linking actual cyber security controls to the risks
considered;
– A systematic plan for providing validated updates and
patches to operating systems or software to update the
protections;
– Documentation to demonstrate that the device will be
provided free of malware to purchasers and users; and
– Instructions for use and specifications related to antivirus
software and/or firewall use appropriate for the device
and its use environment.
HIE Cyber Security –
Medical Devices
• Cyber Security risk analysis and management plan as
part of the risk analysis required by 21 CFR 820.30(g):
• Identification of assets, threats, and vulnerabilities;
• Impact assessment of the threats and vulnerabilities on
device functionality;
• Assessment of the likelihood of a threat and of a
vulnerability being exploited;
• Determination of risk levels and suitable mitigation
strategies;
• Residual risk assessment and risk acceptance criteria.
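An added example, not taken from the slides or from the FDA guidance: the risk-analysis steps listed above, together with the traceability matrix FDA asks for in submissions, written as a small Python check. The 1-5 scales, the likelihood x impact product, the acceptance threshold and all device data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumption: the slides name the steps but prescribe no scoring scheme, so this
# sketch uses 1-5 ordinal scales and a likelihood x impact product.
ACCEPTABLE_RESIDUAL = 6  # assumed risk acceptance criterion


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    impact: int      # 1..5, effect on device functionality
    likelihood: int  # 1..5, chance the vulnerability is exploited


@dataclass
class Control:
    control_id: str
    description: str
    mitigates: dict  # risk_id -> (likelihood reduction, impact reduction)


def risk_level(likelihood, impact):
    return likelihood * impact


def traceability_matrix(risks, controls):
    """Map every identified risk to the controls that claim to mitigate it."""
    matrix = {r.risk_id: [] for r in risks}
    for c in controls:
        for rid in c.mitigates:
            if rid in matrix:
                matrix[rid].append(c.control_id)
    return matrix


def residual_level(risk, controls):
    """Risk level after applying the reductions of every linked control."""
    likelihood, impact = risk.likelihood, risk.impact
    for c in controls:
        dl, di = c.mitigates.get(risk.risk_id, (0, 0))
        likelihood -= dl
        impact -= di
    return risk_level(max(1, likelihood), max(1, impact))  # scales bottom out at 1


def review(risks, controls):
    """Return (finding, id) pairs a reviewer would raise against the submission."""
    matrix = traceability_matrix(risks, controls)
    findings = []
    for c in controls:
        if not any(rid in matrix for rid in c.mitigates):
            findings.append(("orphan_control", c.control_id))  # traces to no risk
    for r in risks:
        if not matrix[r.risk_id]:
            findings.append(("untraced_risk", r.risk_id))  # no control linked
        if residual_level(r, controls) > ACCEPTABLE_RESIDUAL:
            findings.append(("residual_too_high", r.risk_id))
    return sorted(findings)


# Constructed sample register for a hypothetical networked device.
RISKS = [
    Risk("R-1", "firmware update channel", "unauthenticated update installed",
         "updates not restricted to authenticated code", impact=5, likelihood=3),
    Risk("R-2", "network interface", "malware arriving from the hospital network",
         "unnecessary ports and services enabled", impact=4, likelihood=4),
    Risk("R-3", "critical therapy function", "loss of function after compromise",
         "no degraded operating mode", impact=5, likelihood=2),
]
CONTROLS = [
    Control("C-1", "accept only authenticated firmware", {"R-1": (2, 0)}),
    Control("C-2", "disable unnecessary ports and services", {"R-2": (1, 0)}),
    # Deliberate mistake: the fail-safe control is linked to a risk id that does
    # not exist, so R-3 is left without a traced control.
    Control("C-3", "fail-safe mode keeps critical functionality", {"R-9": (0, 3)}),
]

if __name__ == "__main__":
    for rid, cids in traceability_matrix(RISKS, CONTROLS).items():
        print(rid, "->", cids or "NO CONTROL")
    for finding in review(RISKS, CONTROLS):
        print(finding)
```

The mis-linked fail-safe control shows why the matrix is checked in both directions: the control exists on paper, yet the risk it was meant for remains untraced and above the acceptance threshold.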
HIE Cyber Security –
FDA Recommendations for HIEs
• Restricting unauthorized access to the
network and networked medical devices.
• Making certain appropriate antivirus software
and firewalls are up-to-date.
• Monitoring network activity for unauthorized
use.
HIE Cyber Security –
FDA Recommendations for HIEs
• Protecting individual network components through
routine and periodic evaluation, including updating
security patches and disabling all unnecessary ports
and services.
• Contacting the specific device manufacturer if you
think you may have a cyber security problem related to
a medical device. If you are unable to determine the
manufacturer or cannot contact the manufacturer, the
FDA and DHS ICS-CERT may be able to assist in
vulnerability reporting and resolution.
• Developing and evaluating strategies to maintain
critical functionality during adverse conditions.
HIE Cyber Security –
ICS-CERT
• What is ICS-CERT?
– The Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT) provides a control system security focus in
collaboration with US-CERT to:
• Conduct vulnerability and malware analysis
• Provide onsite support for incident response and forensic
analysis
• Provide situational awareness in the form of actionable
intelligence
• Coordinate the responsible disclosure of
vulnerabilities/mitigations
• Share and coordinate vulnerability information and threat
analysis through information products and alerts.
HIE Cyber Security –
Best Practices
• Best Practices for Technology Environment
– Configuration Management
– Software Maintenance
– Operating Maintenance
• Mobile Device Management (BYOD)
• Security Culture
• Backup and DR
• Checklists and ITSM for all Elements
HIE Cyber Security –
Best Practices
• Passwords & Strong Authentication
• Anti-Virus Software
• Firewall(s)
• Controlled Access to PHI
• Controlled Physical Access
• Limit Network Access
• Plan for the Unexpected
HIE Cyber Security –
The Next Frontier
• Accountable Care Organizations (ACOs)
• Direct-HISPs
• Cloud Hosting
• Meaningful Use-Stage 2 and 3
• HIPAA Omnibus Bill
HIE Cyber Security –
Expert Opinion
Camilla Hull Brown, Principal, Strategies for Tomorrow, Inc.
(sftvision.com)
“Cyber Security opens the doors for HIEs to cross geographic
boundaries if they successfully address Security issues in the
minds of users and participating organizations. Combined with
data exchange standards, this has the potential for some HIEs
to expand nationally establishing sustainability through
volume. Private, local or regional HIEs can thrive by accessing
additional data from the national HIEs while providing services
tailored to the needs of the local system or region. Put remote
devices in the hands of clinicians and patients, and the
benefits can be exponential. It's the think global, act local
concept”.
HIE Cyber Security –
Reference Sites
HHS Office for Civil Rights website
(http://www.hhs.gov/ocr/privacy/hipaa/understanding/)
NIST 800 Series Special Publications (http://csrc.nist.gov/publications/PubsSPs.html) In
particular:
• NIST SP 800-36 Guide to Selecting Information Technology Security Products
• NIST SP 800-53 Recommended Security Controls for Federal Information Systems and
Organizations
• NIST SP 800-66 An Introductory Resource Guide for Implementing the Health
Insurance Portability and Accountability Act (HIPAA) Security Rule
• NIST SP 800-88 Guidelines for Media Sanitization
• NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
• NIST SP 800-114 User's Guide to Securing External Devices for Telework and
Remote Access
• NIST SP 800-124 Guidelines on Cell Phone and PDA Security
HIE Cyber Security –
Reference Sites
CYBER SECURITY Guide
The protection of data and systems in networks that connect to the
Internet
10 Best Practices
http://nyehealth.org/wp-content/uploads/2012/07/ONC_Cyber-Security-Guide-V-1.0.pdf
Thank you
Healthcare Solutions & Overview
William “Buddy” Gillespie
www.dsscorp.com
wgillespie@dsscorp.com
Discussion

More Related Content

What's hot

Establishing a Trusted Identity in Cyberspace
Establishing a Trusted Identity in CyberspaceEstablishing a Trusted Identity in Cyberspace
Establishing a Trusted Identity in Cyberspace
RightPatient®
 
HIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare CloudHIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare CloudHostway|HOSTING
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
MBMeHealthCareSolutions
 
Hip hiu policy
Hip hiu policyHip hiu policy
Hip hiu policy
Manish Nachnani
 
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
Health IT Conference – iHT2
 
hitmpresentation06262013
hitmpresentation06262013hitmpresentation06262013
hitmpresentation06262013Kim Paull
 
Health data - Is it safe?
Health data - Is it safe?Health data - Is it safe?
Health data - Is it safe?
Alex Beisser MBCS
 
The Internet of Healthy Things (IoHT) for Healthcare Organizations Webinar
The Internet of Healthy Things (IoHT) for Healthcare Organizations WebinarThe Internet of Healthy Things (IoHT) for Healthcare Organizations Webinar
The Internet of Healthy Things (IoHT) for Healthcare Organizations Webinar
Todd Winey
 
hitech act
hitech acthitech act
hitech actpadler01
 
Building a National Health IT System from the Middle Out
Building a National Health IT System from the Middle OutBuilding a National Health IT System from the Middle Out
Building a National Health IT System from the Middle Out
Health Informatics New Zealand
 
HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit Implementation
Valency Networks
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
resourceone
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006
JNicholson
 
Hipaa for business associates simple
Hipaa for business associates   simpleHipaa for business associates   simple
Hipaa for business associates simple
Jose Ivan Delgado, Ph.D.
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Health IT Conference – iHT2
 
UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1Bryan Cline, Ph.D.
 
John Picanso - Update on Electronic CVI Data Standards
John Picanso - Update on Electronic CVI Data StandardsJohn Picanso - Update on Electronic CVI Data Standards
John Picanso - Update on Electronic CVI Data Standards
John Blue
 
The mHealth + Telehealth World 2014
The mHealth + Telehealth World 2014The mHealth + Telehealth World 2014
The mHealth + Telehealth World 2014
WorldCongress
 
Information+Integration ? Innovation an HL7/EFMI/HIMSS @eHealthweek2015 in Riga
Information+Integration ? Innovation an HL7/EFMI/HIMSS @eHealthweek2015 in RigaInformation+Integration ? Innovation an HL7/EFMI/HIMSS @eHealthweek2015 in Riga
Information+Integration ? Innovation an HL7/EFMI/HIMSS @eHealthweek2015 in Riga
chronaki
 
Hm 418 harris ch11 ppt
Hm 418 harris ch11 pptHm 418 harris ch11 ppt
Hm 418 harris ch11 ppt
BealCollegeOnline
 

What's hot (20)

Establishing a Trusted Identity in Cyberspace
Establishing a Trusted Identity in CyberspaceEstablishing a Trusted Identity in Cyberspace
Establishing a Trusted Identity in Cyberspace
 
HIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare CloudHIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare Cloud
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
 
Hip hiu policy
Hip hiu policyHip hiu policy
Hip hiu policy
 
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
CHIME LEAD Fourm Houston - "Case Studies from the Field: Putting Cyber Securi...
 
hitmpresentation06262013
hitmpresentation06262013hitmpresentation06262013
hitmpresentation06262013
 
Health data - Is it safe?
Health data - Is it safe?Health data - Is it safe?
Health data - Is it safe?
 
The Internet of Healthy Things (IoHT) for Healthcare Organizations Webinar
The Internet of Healthy Things (IoHT) for Healthcare Organizations WebinarThe Internet of Healthy Things (IoHT) for Healthcare Organizations Webinar
The Internet of Healthy Things (IoHT) for Healthcare Organizations Webinar
 
hitech act
hitech acthitech act
hitech act
 
Building a National Health IT System from the Middle Out
Building a National Health IT System from the Middle OutBuilding a National Health IT System from the Middle Out
Building a National Health IT System from the Middle Out
 
HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit Implementation
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006
 
Hipaa for business associates simple
Hipaa for business associates   simpleHipaa for business associates   simple
Hipaa for business associates simple
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
 
UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1
 
John Picanso - Update on Electronic CVI Data Standards
John Picanso - Update on Electronic CVI Data StandardsJohn Picanso - Update on Electronic CVI Data Standards
John Picanso - Update on Electronic CVI Data Standards
 
The mHealth + Telehealth World 2014
The mHealth + Telehealth World 2014The mHealth + Telehealth World 2014
The mHealth + Telehealth World 2014
 
Information+Integration ? Innovation an HL7/EFMI/HIMSS @eHealthweek2015 in Riga
Information+Integration ? Innovation an HL7/EFMI/HIMSS @eHealthweek2015 in RigaInformation+Integration ? Innovation an HL7/EFMI/HIMSS @eHealthweek2015 in Riga
Information+Integration ? Innovation an HL7/EFMI/HIMSS @eHealthweek2015 in Riga
 
Hm 418 harris ch11 ppt
Hm 418 harris ch11 pptHm 418 harris ch11 ppt
Hm 418 harris ch11 ppt
 

Viewers also liked

Medtec - Cyber-security Challenges on the Horizon
Medtec - Cyber-security Challenges on the HorizonMedtec - Cyber-security Challenges on the Horizon
Medtec - Cyber-security Challenges on the Horizon
team-WIBU
 
CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015
Health IT Conference – iHT2
 
Cyber Security - NAHU Continuing Education Course
Cyber Security - NAHU Continuing Education CourseCyber Security - NAHU Continuing Education Course
Cyber Security - NAHU Continuing Education Course
Scott Diehl
 
Why cyber-criminals target Healthcare - Panda Security
Why cyber-criminals target Healthcare - Panda Security Why cyber-criminals target Healthcare - Panda Security
Why cyber-criminals target Healthcare - Panda Security
Panda Security
 
Healthcare's Losing Battle Against the Hyper-Connected Machines
Healthcare's Losing Battle Against the Hyper-Connected MachinesHealthcare's Losing Battle Against the Hyper-Connected Machines
Healthcare's Losing Battle Against the Hyper-Connected Machines
Kurt Hagerman
 
Webinar: Cybersecurity and the New Age of Hackers
Webinar: Cybersecurity and the New Age of HackersWebinar: Cybersecurity and the New Age of Hackers
Webinar: Cybersecurity and the New Age of Hackers
Modern Healthcare
 
Safeguarding Patient Privacy in a Digital Age (Brian Kalis)
Safeguarding Patient Privacy in a Digital Age (Brian Kalis)Safeguarding Patient Privacy in a Digital Age (Brian Kalis)
Safeguarding Patient Privacy in a Digital Age (Brian Kalis)
U.S. News Healthcare of Tomorrow
 
Isa Chapters Cyber is Hard presentation v1.0
Isa Chapters Cyber  is Hard presentation v1.0Isa Chapters Cyber  is Hard presentation v1.0
Isa Chapters Cyber is Hard presentation v1.0
grp362
 
A to z of Cyber Crime
A to z of Cyber CrimeA to z of Cyber Crime
10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices
10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices
10 Ways to Mitigate the Risk and Effect of Cyber Attacks on Medical Devices
Extreme Networks
 
Medical device security presentation - Frank Siepmann
Medical device security presentation - Frank SiepmannMedical device security presentation - Frank Siepmann
Medical device security presentation - Frank Siepmann
Frank Siepmann
 
Securing Medical Devices From Cyber Threats
Securing Medical Devices From Cyber ThreatsSecuring Medical Devices From Cyber Threats
Securing Medical Devices From Cyber Threats
HCL Technologies
 
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
Andris Soroka
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
Ramiro Cid
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
Jim Brashear
 
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Steve Fantauzzo
 
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ..."Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
Health IT Conference – iHT2
 
Empower Business by Filling Gap of Cyber Security Skills
Empower Business by Filling Gap of Cyber Security SkillsEmpower Business by Filling Gap of Cyber Security Skills
Empower Business by Filling Gap of Cyber Security Skills
ClickSSL
 
Cybersecurity Trends and CyberVision : 2015 - 2025
Cybersecurity Trends and CyberVision : 2015 - 2025Cybersecurity Trends and CyberVision : 2015 - 2025
Cybersecurity Trends and CyberVision : 2015 - 2025
Dr David Probert
 

Sustainability of HIEs under CyberSecurity

  • 1. Sustainability of HIEs under Cyber Security The CERT Symposium on Cyber Security Incident Management for Health Information Exchanges Carnegie Mellon University's Posner Center Pittsburgh, Pennsylvania June 26, 2013
  • 2. William “Buddy” Gillespie Chair Business, Health Outcomes & HIE Committee, PAeHI Director of HealthCare Solutions Distributed Systems Services (DSS) wgillespie@dsscorp.com
  • 3. Sustainability of HIEs under Cyber Security Agenda • HIE Overview • The Problem • Concerns/Trends/HIMSS Survey • Guidelines • Architecture • Medical Devices/Robotic Surgery • Best Practices • Future
  • 4. HIE - Seven Sustainability Strategies 1 • Innovative stakeholder negotiations 2 • Building the right relations hospitals & payers 3 • Physician adoption as driver of sustainability 4 • Innovation to bring payers/providers together 5 • Innovative sources for fee income 6 • Stakeholders drive healthcare transformation 7 • Cyber Security Best Practice
  • 5. Health Information Exchange Services Provided
    Majority Provide
      • Clinical messaging and Inquiry (CCD)
      • PH Dept. reportable conditions or Immunization Registry
    Most Provide
      • Had or planning eRX, orders, physician workflow tools
      • Six of 11 had or planning low-cost, Web-based certified EHRs that meet Meaningful Use
    Unique Services
      • INHS (WA) offers shared IT services to 38 hospitals plus majority of physicians; others use Virtual Private Network
      • MiHIN Resource Services plans to implement 7 sub-state HIEs over 18 months.
  • 7. HIE Cyber Security - The Problem “Not only do medical EHR systems themselves pose security risks, but the movement towards making patient data available wherever they may access medical services, implemented through participation in health information exchanges (HIEs), exacerbates the level of risk by posing additional threat vulnerabilities. HIEs face funding challenges due to the fact that they lack clear-cut and profitable business models, and yet federal grants and deadlines maintain a level of time pressure for implementing these systems that do not allow for thorough considerations of security…” Doug Pollack, strategy officer at ID Experts, responsible for strategy and innovation including prevention analysis and response services. As a veteran in the technology industry, he has over 25 years of experience in computer systems, software, and security concerns focusing on creating successful new products in new emerging markets.
  • 8. HIE Cyber Security - The Problem HIE
  • 9. HIE Cyber Security - Comparing HIE Models & Cyber Security
    Integrated delivery networks (IDNs)
      • Organized by one Institution
      • Hospital to connect its physicians & provider partners & ensures that hospitals and physicians can participate in Meaningful Use Incentive
      • Costs are absorbed by Institution & Hospital vendors set up networks
      • Examples: Pinnacle Health System and Doylestown Hospital
    Community/Regional HIE
      • Organized around one or more medical referral regions with a multi-stakeholder governing body
      • Fees are paid by the stakeholders based on benefits received & startup funding coming from key stakeholders or outside funding sources (grants)
      • Examples: Geisinger’s KeyHIE and UPMC’s HIE are blended IDN/Regional HIEs.
    State-level HIE
      • State geographic boundaries
      • Responsible for addressing barriers to HIE adoption around privacy and security, standards, and legal issues with bordering states
      • Funded by federal government to include state agencies such as Medicaid and Public Health
      • Example: Designation of a state-level HIE in Pennsylvania
  • 10. PAeHI Research Studies and White Papers (paehi.org)
      • Establishing widespread adoption of electronic health records and electronic prescribing in Pennsylvania (2008)
      • Ensuring privacy and security of Health Information Exchange in Pennsylvania (2009)
      • Building a Sustainable Model for Health Information Exchange in Pennsylvania (2009)
      • Financing Research and Framework Development for a Health Information Exchange (2010)
  • 11. HIE Cyber Security – Internet Usage • In 1995, 16 million users (0.4%) • In 2010, 1.6 billion users (23.5%)
  • 12. HIE Cyber Attack - Trends • Increasing sophistication • Decreasing costs • Increasing attack frequency • Difficulties in patching systems • Increasing network connections, dependencies, and trust relationships
  • 13. HIE Cyber Security – Top Concerns • Mobile Devices - BYOD • Medical Devices/Robotic Surgery • HIPAA & BAAs • Internal & External Breaches • Data Leakage • Limits of Technology & Inadequate Security Systems • Funding • Patient’s Lack of Confidence • Third Parties-Vendors • Remote Connections
  • 19. HIE Cyber Security - Concepts of Information Assurance • Confidentiality (privacy) • Integrity (quality, accuracy, relevance) • Availability (accessibility)
  • 20. HIE Cyber Security – ONC Guidelines • New privacy and security guidelines--aimed at protecting the vast amount of healthcare information transmitted by state Health Information Exchanges--are now in place. • HIEs are networks intended to help states manage the electronic exchange of health information among health care providers and hospitals within their states and across state lines. • Privacy and security policies are required as a condition of accepting part of the $550 million federal grant money funding the development of state-based HIEs. “The guidelines, issued by the Office of the National Coordinator for Health IT (ONC), provide a common set of "rules of the road" designed to build confidence in the system on both the provider and patient level”…….. ONC
  • 21. HIE Cyber Security – ONC Guidelines • Under the new guidelines, state HIE grantees are required to develop privacy and security policies to address each of the fair information practice principles as outlined by ONC. • The principles include individual access to information; the right to correct errors; openness and transparency; collection, use and disclosure limitations; security safeguards; data quality and integrity; individual choice; and accountability.
  • 22. HIE Cyber Security – ONC Guidelines • The ONC also noted that there was no "one size fits all" approach when developing policy for HIEs.
      – For example, some state HIEs merely serve as information conduits, ensuring the secure exchange of identifiable health information among health care providers, without accessing or storing any of that data. This type of HIE doesn't have to worry about data quality or providing individuals access to copies of their health information or to have errors corrected or noted.
      – However, state HIEs that "store, assemble, or aggregate" identifiable health information are required to develop policies to address all of the fair information practices, including data quality, individual access and the right to correct errors.
  • 23. HIE Cyber Security – ONC Guidelines • If an HIE's current privacy and security policies don't comply with the new requirements and guidance, they have to be rewritten and a timeline for making those changes given to the ONC. • The new requirements are consistent with the recommendations developed and issued by the Privacy and Security Tiger Team of the Federal Health IT Policy Committee.
  • 24. HIE Cyber Security – Privacy & Security Policies • All of the information that passes through the HIE is password protected and encrypted at its source using state-of-the-art tools to protect the transmission and security of the data. • Access to the network is monitored and restricted to only those qualified medical professionals who have demonstrated a need to know the requested information.
  • 25. HIE Cyber Security – Security Architecture • The secure exchange of electronic health information is important to the development of electronic health records (EHRs) and to the improvement of the U.S. healthcare system. • While the U.S. healthcare system is widely recognized as one of the most clinically advanced in the world, costs continue to rise, and often preventable medical errors occur. • Health information technology (HIT), especially the development of electronic health records for use in both inpatient and ambulatory care settings, has the potential for providing reliable access to health information and thereby improving the healthcare system. However, the prospect of storing, moving, and sharing health information in electronic formats raises new challenges on how to ensure that the data is adequately protected.
  • 26. HIE Cyber Security – NHIN Security Architecture • Protecting electronic patient health information is crucial to developing systems and structures that support the exchange of that information among healthcare providers, payers, and consumers using Health Information Exchanges (HIEs). • As noted in the Summary of the Nationwide Health Information Network (NHIN) report from the Office of the National Coordinator, "An important core competency of the HIE is to maintain a trusting and supportive relationship with the organizations that provide data to, and retrieve data from, one another through the HIE. The trust requirement is met through a combination of legal agreements, advocacy, and technology for ensuring meaningful information interchange in a way that has appropriate protections."
  • 27. HIE Cyber Security – NIST Security Architecture • NIST published "Security Architecture Design Process for Health Information Exchanges (HIEs) (NISTIR 7497)" in September 2010, to provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that demonstrates how these practices can be applied to the development of HIEs. • The publication assists organizations in ensuring that data protection is adequately addressed throughout the system development life cycle, and that these data protection mechanisms are applied when the organization develops technologies that enable the exchange of health information.
  • 28. HIE Cyber Security – Security Architecture • The operating model outlined in the NIST publication will help organizations that are implementing HIEs to: – Understand major regulations and business drivers. – Identify cross-organizational enabling services. – Define supporting business processes (for each service). – Develop notional architectures (as a blueprint to support services, processes, and the selection of technical solutions). – Select technical solutions.
  • 29. HIE Cyber Security – Medical Devices/Robotic Surgery • Summary of Problem and Scope: – Many medical devices contain configurable embedded computer systems that can be vulnerable to cyber security breaches. – In addition, as medical devices are increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cyber security breaches, which could affect how a medical device operates.
  • 30. HIE Cyber Security – Medical Devices/Robotic Surgery • General Principles – Manufacturers should develop a set of security controls to assure medical device cyber security to maintain information confidentiality, integrity, and availability.
  • 31. HIE Cyber Security – Medical Devices - FDA • On June 13, 2013, in response to increased reports of computer viruses and other cyber security breaches concerning medical devices and hospital networks, the Food and Drug Administration (FDA) issued a safety communication on cyber security for medical devices and hospital networks and a new draft guidance document, "Content of Premarket Submissions for Management of Cyber security in Medical Devices." – As software has become increasingly prevalent in medical devices, allowing for more sophisticated uses and networked connectivity, the cyber security risks for these devices also have increased. – Recognizing that these risks may impact device performance and safety, FDA clarified that device manufacturers are responsible for identifying and mitigating cyber security risks for their medical device products. – Although the new draft guidance makes clear that FDA expects device manufacturers to evaluate and address these issues for new devices going forward, questions remain as to the extent of manufacturers' obligations for cyber security risks affecting older devices, particularly with respect to discontinued devices that are still in use but are no longer supported by a device manufacturer.
  • 32. HIE Cyber Security – Medical Devices - FDA • While FDA acknowledges that the extent of security controls will depend on the medical device, its use environment, and the risks presented to patients by a potential security breach, the draft guidance includes several general recommendations. – Manufacturers are encouraged to justify, in their submissions, the security controls chosen, including the following: • limiting access to trusted users only, particularly for life-sustaining devices or devices that could be directly connected to hospital networks; • ensuring the trusted content of software by restricting software and firmware updates to authenticated code, using systematic procedures for authorized users to download the manufacturer's software and firmware, and ensuring secure data transfer to and from the device; • using "fail safe" modes to maintain a device's critical functionality, even when the device's security has been compromised.
  • 33. HIE Cyber Security – Medical Devices - FDA • FDA recommends that manufacturers include the following with their submissions: – Hazard analysis, mitigations, and design considerations to identify and control cyber security risks; a traceability matrix linking actual cyber security controls to the risks considered; – A systematic plan for providing validated updates and patches to operating systems or software to update the protections; – Documentation to demonstrate that the device will be provided free of malware to purchasers and users; and – Instructions for use and specifications related to antivirus software and/or firewall use appropriate for the device and its use environment.
  • 34. HIE Cyber Security – Medical Devices • Cyber Security risk analysis and management plan as part of the risk analysis required by 21 CFR 820.30(g): • Identification of assets, threats, and vulnerabilities; • Impact assessment of the threats and vulnerabilities on device functionality; • Assessment of the likelihood of a threat and of a vulnerability being exploited; • Determination of risk levels and suitable mitigation strategies; • Residual risk assessment and risk acceptance criteria.
  • 35. HIE Cyber Security – FDA Recommendations for HIEs • Restricting unauthorized access to the network and networked medical devices. • Making certain appropriate antivirus software and firewalls are up-to-date. • Monitoring network activity for unauthorized use.
  • 36. HIE Cyber Security – FDA Recommendations for HIEs • Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services. • Contacting the specific device manufacturer if you think you may have a cyber security problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution. • Developing and evaluating strategies to maintain critical functionality during adverse conditions.
  • 38. HIE Cyber Security – ICS-CERT • What is ICS-CERT? – The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides a control system security focus in collaboration with US-CERT to: • Conduct vulnerability and malware analysis • Provide onsite support for incident response and forensic analysis • Provide situational awareness in the form of actionable intelligence • Coordinate the responsible disclosure of vulnerabilities/mitigations • Share and coordinate vulnerability information and threat analysis through information products and alerts.
  • 39. HIE Cyber Security – Best Practices • Best Practices for Technology Environment – Configuration Management – Software Maintenance – Operating Maintenance • Mobile Device Management (BYOD) • Security Culture • Backup and DR • Checklists and ITSM for all Elements
  • 40. HIE Cyber Security – Best Practices • Passwords & Strong Authentication • Anti-Virus Software • Firewall(s) • Controlled Access to PHI • Controlled Physical Access • Limit Network Access • Plan for the Unexpected
  • 41. HIE Cyber Security – The Next Frontier • Accountable Care Organizations (ACOs) • Direct-HISPs • Cloud Hosting • Meaningful Use-Stage 2 and 3 • HIPAA Omnibus Bill
  • 42. HIE Cyber Security – Expert Opinion Camilla Hull Brown, Principal, Strategies for Tomorrow, Inc. (sftvision.com) “Cyber Security opens the doors for HIEs to cross geographic boundaries if they successfully address Security issues in the minds of users and participating organizations. Combined with data exchange standards, this has the potential for some HIEs to expand nationally establishing sustainability through volume. Private, local or regional HIEs can thrive by accessing additional data from the national HIEs while providing services tailored to the needs of the local system or region. Put remote devices in the hands of clinicians and patients, and the benefits can be exponential. It's the think global, act local concept”.
  • 43. HIE Cyber Security – Reference Sites HHS Office for Civil Rights website (http://www.hhs.gov/ocr/privacy/hipaa/understanding/) NIST 800 Series Special Publications (http://csrc.nist.gov/publications/PubsSPs.html) In particular: • NIST SP 800-36 Guide to Selecting Information Technology Security Products • NIST SP 800-53 Recommended Security Controls for Federal Information Systems and Organizations • NIST SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule • NIST SP 800-88 Guidelines for Media Sanitization • NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices • NIST SP 800-114 User's Guide to Securing External Devices for Telework and Remote Access • NIST SP 800-124 Guidelines on Cell Phone and PDA Security
  • 44. HIE Cyber Security – Reference Sites CYBER SECURITY Guide The protection of data and systems in networks that connect to the Internet 10 Best Practices http://nyehealth.org/wp-content/uploads/2012/07/ONC_Cyber-Security-Guide-V-1.0.pdf
  • 45. Thank you • Healthcare Solutions & Overview William “Buddy” Gillespie www.dsscorp.com wgillespie@dsscorp.com • Discussion